# Secure Infrastructure as Code / K8s / Helm / Docker with Github Action
Sangam Biradar
Technical Advocate
Tenable
# Github Action
# Github Repository
Events in the repository that can trigger a workflow:
- Push
- Pull Request (opened, merged)
- Issue (created, closed, ...)
- Schedule (e.g. every day at 10 pm)
- External event
Each event starts a Workflow.
# Github Server
A workflow runs on a Virtual Machine Instance:
- Linux, Windows, MacOS with tools installed, or a Docker container
A Job is a sequence of steps run on that instance:
- Step 1 (action)
- Step 2 (action)
- Step 3 (CMD)
# Multiple Jobs in Github Action
Each Job gets its own Virtual Machine Instance (Linux, Windows, MacOS with tools installed, or a Docker container) and runs its own steps:
- Job: Step 1 (action), Step 2 (action), Step 3 (CMD)
- Job: Step 1 (action), Step 2 (action), Step 3 (CMD)
- Job: Step 1 (action), Step 2 (action), Step 3 (CMD)
# Github Hosted Runner
- Linux, Windows or MacOS virtual environments with commonly-used pre-installed software
- Maintained by Github
- You cannot customise the hardware configuration
1. Create a git repo
2. Create the directory .github/workflows
3. Write the GitHub Action workflow
# Open Source at Tenable
https://github.com/accurics/terrascan
Key features
- 500+ policies for security best practices
- Scanning of Terraform (HCL2)
- Scanning of Kubernetes (JSON/YAML), Helm v3, and Kustomize
- Scanning of Dockerfiles
- Support for AWS, Azure, GCP, Kubernetes, Dockerfile, and GitHub
- Integrates with docker image vulnerability scanning for AWS, Azure, GCP, Harbor container registries
# IAC
Terrascan Github Action supports these IaC types:
1. Terraform
2. Kubernetes
3. Helm Chart
4. Kustomize
5. Docker
# Terraform
```yaml
on: [push]
jobs:
  terrascan_job:
    runs-on: ubuntu-latest
    name: terrascan-action-terraform
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Scan Terraform
        id: terrascan
        uses: accurics/terrascan-action@main
        with:
          iac_type: 'terraform'
          iac_version: 'v14'
          policy_type: 'aws'
          only_warn: true        # report violations without failing the job
          sarif_upload: true     # write terrascan.sarif for code scanning
          iac_dir: 'test_dirs/fail/'
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: terrascan.sarif
```
# Kubernetes
```yaml
on: [push]
jobs:
  terrascan_job:
    runs-on: ubuntu-latest
    name: terrascan-action-k8s
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Scan Kubernetes manifests
        id: terrascan
        uses: accurics/terrascan-action@main
        with:
          iac_type: 'k8s'
          iac_version: 'v1'
          policy_type: 'k8s'
          only_warn: true
          sarif_upload: true
          iac_dir: 'test_dirs/k8s/'
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: terrascan.sarif
```
# Custom Policies
```yaml
on: [push]
jobs:
  terrascan-docker:
    runs-on: ubuntu-latest
    name: terrascan-action-docker
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Scan docker custom
        id: terrascan-docker
        uses: accurics/terrascan-action@main
        with:
          iac_type: 'docker'
          iac_version: 'v1'
          policy_type: 'docker'
          only_warn: true
          sarif_upload: true
          #non_recursive:
          iac_dir: 'test_dirs/custom-policies/'
          policy_path: 'test_dirs/custom-policies/'   # directory holding the custom Rego policies
          #skip_rules:
          #config_path:
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: terrascan.sarif
```
Terrascan GitHub Action inputs:
- `iac_type`: Required IaC type (helm, k8s, kustomize, terraform).
- `iac_dir`: Path to a directory containing one or more IaC files. Default ".".
- `iac_version`: IaC version (helm: v3, k8s: v1, kustomize: v3, terraform: v12, v14).
- `non_recursive`: Do not scan directories and modules recursively.
- `policy_path`: Policy path directory for custom policies.
- `policy_type`: Policy type (all, aws, azure, gcp, github, k8s). Default all.
- `skip_rules`: One or more rules to skip while scanning (example: "ruleID1,ruleID2").
- `config_path`: Config file path.
- `sarif_upload`: If this variable is included, a sarif file named terrascan.sarif will be generated with the results of the scan.
- `verbose`: If this variable is included, the scan will show violations with additional details (Rule Name/ID, Resource Name/Type, Violation Category).
- `find_vulnerabilities`: If provided, the scan output will display vulnerabilities for Docker images present in the IaC files.
- `scm_token`: If provided, Terrascan will use the provided access token to retrieve private repositories from your source code management system.
- `webhook_url`: If this variable is included, the scan results and the normalized config will be sent to the specified URL. If the variable is set along with config_path, then configs from the config path will be ignored.
- `webhook_token`: Include this variable if the notification webhook URL requires authentication.
# Docker Expose
Custom Rego policy: flag an EXPOSE instruction that publishes port 22.
```rego
package accurics

# The rule name is filled in from the policy metadata (prefix/name/suffix).
# Single-port EXPOSE: the normalized config is a string.
{{.prefix}}{{.name}}{{.suffix}}[expose.id] {
    expose := input.docker_expose[_]
    is_string(expose.config)
    config := expose.config
    checkPort(config)
}

# Multi-port EXPOSE: the normalized config is an array of port specs.
{{.prefix}}{{.name}}{{.suffix}}[expose.id] {
    expose := input.docker_expose[_]
    is_array(expose.config)
    config := expose.config
    checkPortList(config)
}

checkPort(config) {
    contains(config, "22")
}

checkPortList(config) {
    contains(config[_], "22")
}
```
Custom Rego policy: flag an EXPOSE port above the valid range.
```rego
package accurics

{{.prefix}}{{.name}}{{.suffix}}[expose.id] {
    expose := input.docker_expose[_]
    conval := expose.config
    # "65539/tcp" -> ["65539", "tcp"]; the non-numeric part simply fails to_number below
    port := split(conval, "/")
    containsPortOutOfRange(port)
}

containsPortOutOfRange(ports) {
    some i
    port := ports[i]
    to_number(port) > 65535
}
```
# Dockerfile
Demo Dockerfile scanned in the examples above (the findings are intentional):
```dockerfile
FROM ubuntu:latest
LABEL MAINTAINER "sangam"
# hard-coded secrets baked into the image as environment variables
ENV SECRET AKIGG23244GN2344GHG
ENV GITLAB_API_ID gig32oig3bgi34gb43gb43uigb43i
WORKDIR /app
ADD app /app
COPY README.md /app/README.md
ADD code /tmp/code
# typo kept from the slide; this step would fail at build time
RUN apt-get udpate
# port outside the valid 1-65535 range, caught by the custom policy above
EXPOSE 65539
RUN apt-get update && apt-get install -y htop
CMD ["/bin/bash", "/app/entrypoint.sh"]
```
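As an added example (not from the slides or the Terrascan project), the following Python script re-implements the two custom Rego policies above (port 22 exposed, EXPOSE port out of range), adds a hard-coded-secret check for ENV, and runs them over the demo Dockerfile. The `docker_expose`/`docker_env` record layout, the rule ids and the secret heuristic are assumptions made here, not Terrascan's; one extra `EXPOSE 22/tcp 8080` line is constructed to exercise the multi-port branch.

```python
"""Small Dockerfile linter mirroring the custom Rego policies on the slides.
Added example; record layout, rule ids and heuristics are assumptions."""
import re

# Constructed input: the demo Dockerfile from the slides, plus one
# multi-port EXPOSE line added to exercise the list branch.
DEMO_DOCKERFILE = """\
FROM ubuntu:latest
LABEL MAINTAINER "sangam"
ENV SECRET AKIGG23244GN2344GHG
ENV GITLAB_API_ID gig32oig3bgi34gb43gb43uigb43i
WORKDIR /app
ADD app /app
COPY README.md /app/README.md
ADD code /tmp/code
RUN apt-get udpate
EXPOSE 65539
EXPOSE 22/tcp 8080
RUN apt-get update && apt-get install -y htop
CMD ["/bin/bash", "/app/entrypoint.sh"]
"""


def parse_dockerfile(text):
    """Split a Dockerfile into (INSTRUCTION, argument) pairs, joining
    backslash continuations and skipping blank lines and comments."""
    result, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        head, _, tail = buf.partition(" ")
        result.append((head.upper(), tail.strip()))
        buf = ""
    return result


def normalize(instructions):
    """Build a Terrascan-like input document: records grouped under
    'docker_<instruction>' keys, each with an id and a config.  For EXPOSE
    the config is a string for one port and a list for several, the
    is_string / is_array split the Rego policies branch on (assumed layout)."""
    doc = {}
    for n, (instr, arg) in enumerate(instructions, start=1):
        config = arg
        if instr == "EXPOSE":
            ports = arg.split()
            config = ports[0] if len(ports) == 1 else ports
        doc.setdefault("docker_" + instr.lower(), []).append(
            {"id": f"{instr.lower()}-{n}", "config": config})
    return doc


def _ports(config):
    """Port specs in an EXPOSE config, whatever its shape."""
    return [config] if isinstance(config, str) else list(config)


def _port_number(spec):
    """'22/tcp' -> 22; None when the port part is not numeric (e.g. $PORT)."""
    num = spec.split("/", 1)[0]
    return int(num) if num.isdigit() else None


def exposes_ssh(record):
    """Mirror of checkPort/checkPortList, but on the numeric port instead of
    a substring match, so 2222 is not reported as 22."""
    return any(_port_number(p) == 22 for p in _ports(record["config"]))


def port_out_of_range(record):
    """Mirror of containsPortOutOfRange, extended to reject 0 as well."""
    return any(n is not None and not 1 <= n <= 65535
               for n in map(_port_number, _ports(record["config"])))


SECRET_NAME = re.compile(r"(SECRET|TOKEN|PASS(WORD)?|API|KEY|CREDENTIAL)", re.I)


def env_has_secret(record):
    """Heuristic: ENV name looks secret-bearing and the value is a long
    literal rather than a $REFERENCE resolved at build time."""
    name, _, value = record["config"].partition(" ")
    if "=" in name:                      # ENV KEY=value form
        name, _, value = name.partition("=")
    value = value.strip().strip('"')
    return bool(SECRET_NAME.search(name)) and len(value) >= 12 and not value.startswith("$")


# (rule id, normalized key, check, message) -- rule ids are assumed, not Terrascan's
RULES = [
    ("dockerExposeSsh", "docker_expose", exposes_ssh, "port 22 (SSH) exposed"),
    ("dockerExposePortRange", "docker_expose", port_out_of_range, "EXPOSE port outside 1-65535"),
    ("dockerEnvSecret", "docker_env", env_has_secret, "possible hard-coded secret in ENV"),
]


def scan(dockerfile_text):
    """Run every rule over the normalized document; return (rule, record id, message)."""
    doc = normalize(parse_dockerfile(dockerfile_text))
    findings = []
    for rule_id, key, check, message in RULES:
        for record in doc.get(key, []):
            if check(record):
                findings.append((rule_id, record["id"], message))
    return findings


if __name__ == "__main__":
    for finding in scan(DEMO_DOCKERFILE):
        print(*finding)
```

The Rego `contains(config, "22")` is a substring test, so it would also flag `EXPOSE 2222`; comparing the parsed port number avoids that false positive. Likewise, the range check here rejects port 0, which the Rego `> 65535` test alone does not.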
Demo Time
Give a Git star to Terrascan Repo